CVE-2020-7106
MEDIUMCacti 1.2.8 - Stored Cross-Site Scripting in Multiple Pages via Description Parameter
Title source: llmDescription
Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.php, graphs.php, graph_items.php, lib/api_automation.php, user_admin.php, and user_group_admin.php, as demonstrated by the description parameter in data_sources.php (a raw string from the database that is displayed by $header to trigger the XSS).
References (11)
Core 11
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Cacti/cacti/issues/3191
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/01/msg00014.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SUSOTOIEJKD2IWJHN7TY56TDZJQZJUVJ/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XLZAMGTW2OSIBLYLXWHQBGWP7M4DTRS7/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00001.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00005.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-40
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00042.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00048.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00032.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/03/msg00038.html
Scores
CVSS v3
6.1
EPSS
0.0409
EPSS Percentile
88.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (11)
cacti/cacti
< 1.2.9
debian/debian_linux
8.0
debian/debian_linux
9.0
fedoraproject/extra_packages_for_enterprise_linux
7.0
fedoraproject/extra_packages_for_enterprise_linux
8.0
fedoraproject/extra_packages_for_enterprise_linux
9.0
fedoraproject/fedora
30
fedoraproject/fedora
31
opensuse/backports_sle
15.0 sp1
opensuse/leap
15.1
... and 1 more
Published
Jan 16, 2020
Tracked Since
Feb 18, 2026